CVE-2018-15761: UAA Privilege Escalation
Severity
Critical
Vendor
Cloud Foundry Foundation
Affected Cloud Foundry Products and Versions
- You are using uaa-release versions prior to v64.0
- You are using uaa versions prior to 4.23.0
Description
Cloud Foundry UAA, release versions prior to v64.0, contains a validation error that allows privilege escalation. A remote authenticated user may modify the URL and content of a consent page to obtain a token with arbitrary scopes and so escalate their privileges.
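As an added illustration that is not part of this advisory or of UAA's code, the check below shows the kind of server-side validation a consent step needs: the scopes issued in the token are recomputed from the authorization request the server recorded and from the client's registration, never taken from the submitted consent page itself. All type names, client ids and scope values are constructed for the example; an insecure 'before' variant is shown beside the hardened one.

```python
from __future__ import annotations
from dataclasses import dataclass

# Constructed types standing in for an authorization server's stored state.
@dataclass(frozen=True)
class RegisteredClient:
    client_id: str
    allowed_scopes: frozenset[str]   # scopes this client may ever receive

@dataclass(frozen=True)
class PendingAuthorization:
    client_id: str
    requested_scopes: frozenset[str]  # recorded when the flow started

class ConsentError(ValueError):
    """Consent submission does not match server-held state."""

def grant_scopes_insecure(form_scopes: list[str], approve: bool) -> frozenset[str]:
    # 'Before' pattern: token scopes come straight from the posted consent form,
    # so a user who edits the consent page's URL or fields chooses them freely.
    return frozenset(form_scopes) if approve else frozenset()

def grant_scopes(pending: PendingAuthorization, client: RegisteredClient,
                 form_scopes: list[str], approve: bool) -> frozenset[str]:
    """Return scopes to issue, recomputed against server-held state."""
    if pending.client_id != client.client_id:
        raise ConsentError("consent session does not belong to this client")
    if not approve:
        return frozenset()
    approved = frozenset(form_scopes)
    # The user may narrow the original request but never widen it...
    extra = approved - pending.requested_scopes
    if extra:
        raise ConsentError(f"scopes not in original request: {sorted(extra)}")
    # ...and the result must also lie within the client's registration.
    unregistered = approved - client.allowed_scopes
    if unregistered:
        raise ConsentError(f"client not registered for: {sorted(unregistered)}")
    return approved

def is_rejected(pending: PendingAuthorization, client: RegisteredClient,
                form_scopes: list[str], approve: bool = True) -> bool:
    """True when the hardened path refuses a submission (used by the checks)."""
    try:
        grant_scopes(pending, client, form_scopes, approve)
    except ConsentError:
        return True
    return False
```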
Mitigation
Users of affected versions should apply the following mitigations or upgrades:
- Releases that have fixed this issue include:
  - uaa-release version v64.0
  - uaa version 4.23.0
Credit
This issue was responsibly reported by the UAA team.
History
2018-11-01: Initial vulnerability report published.